The ELK stack (Elasticsearch, Logstash, and Kibana), also known as the Elastic Stack, is a popular platform used by organizations to collect, search, analyze, and visualize data from almost any source. In a cybersecurity context, with the right integrations, it can serve as a Security Information and Event Management (SIEM) solution. Given its popularity and the advantages it offers, it makes sense that enterprise-ready products like Zenarmor prioritize a direct and easy integration with this platform.

Some benefits of integrating Zenarmor with a remote ELK stack are:

You can stream all reporting data from all your Zenarmor deployments to a central location for safekeeping.

With all of this data stored centrally, your SIEM tooling can tap into it to quickly detect, investigate, and respond to potential threats.

Elasticsearch is highly scalable by design and offers performance advantages over the locally run database options available in Zenarmor (MongoDB and SQLite); it is the recommended database choice for a large network with many endpoints.

Offloading the reporting data to a remote Elasticsearch database frees up resources on your Zenarmor firewalls, especially those with limited storage, leaving them to do what they do best, filtering traffic, without having to write log data to local disk.

If you have not already guessed, in this article we are going to explore how to set up Zenarmor to offload and stream its reporting data to an ELK stack, so let's get started.

Step 1: Setting up your ELK stack (Optional)

To get the most benefit out of this tutorial you will need a functioning ELK stack. If you already have ELK running, skip this step and move on to Step 2. For those who don't have ELK running and would still like to explore this integration in a lab environment, I have provided a docker-compose.yml configuration below that spins up Elasticsearch and Kibana as Docker containers. All you need is a machine or VM running Docker, and you will have an ELK stack deployed in a few minutes.

An important note: to get Elasticsearch and Kibana up as quickly as possible, I have purposely disabled all of the built-in security features (Elasticsearch 8.x enables authentication and TLS by default), since they can be tricky to set up when you just want to explore the platform and its functionality in your lab. Please DO NOT use this configuration in production environments, for obvious reasons: anyone who can reach the cluster on the network can read, modify, or delete every index in it. If you are interested in building a production-ready ELK stack with docker-compose, check out the Elastic documentation and the Elastic GitHub repository, which I have included here for your convenience.

Figure 1: Basic docker-compose.yml configuration to get Elasticsearch and Kibana running quickly with the security features disabled. Don't use this in production environments. (The compose file itself did not survive extraction of this page; the fragments that remain are the Elasticsearch image tag ending in /elasticsearch/elasticsearch:8.9.1, Kibana's ELASTICSEARCH_HOSTS= setting with a commented-out ELASTICSEARCH_USERNAME line beside it, and a commented-out Logstash service, annotated "# Disabled Logstash since we don't need it, however, this is where that config would go if you need to set this up.", whose pipeline volume mount was logstash/conf.d/:/usr/share/logstash/pipeline/:ro.)

Step 2: Setting up Zenarmor to stream reporting data to your remote ELK stack

At this point in the tutorial, I assume that you already have your ELK stack operational and Zenarmor installed and awaiting its initial configuration through the configuration wizard.

Figure 2: Zenarmor initial configuration wizard

Once you accept the terms and agree, the next part of the wizard prompts you to choose your database settings. Zenarmor offers three database options: MongoDB and SQLite, which are installed locally on your firewall, and a remote Elasticsearch database, which is the option we are going to select and configure. You will need a SOHO subscription or above to use a remote Elasticsearch database.

The setup is straightforward: supply the Elasticsearch database URL, in my case http://192.168.1.104:9200, with a blank username and password.

Figure 3: Zenarmor database settings wizard

A few things to note here. Because security has been disabled on my lab cluster, Zenarmor can connect over plain HTTP without a username or password. With security enabled (the default in Elasticsearch 8.x) the cluster serves HTTPS and requires credentials, so the URL becomes https:// and the username and password fields must be filled in. For that username and password, use a dedicated service account for Zenarmor: a separate Elasticsearch user whose role grants write access only to the indices Zenarmor creates, rather than the built-in elastic superuser, so a leaked firewall credential cannot touch the rest of the cluster.
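To make Step 1 and Step 2 reproducible in a lab, here is an added helper script (my own example, not code from the original post, from Elastic, or from Zenarmor). It writes the security-disabled compose file that Figure 1 describes, using the official docker.elastic.co Elasticsearch and Kibana images at the post's 8.9.1 tag, and it probes the Elasticsearch URL the way the wizard does with blank credentials, so you can tell a security-disabled cluster (HTTP 200 on an unauthenticated request) from one that needs the username and password (HTTP 401) before filling in the database settings. The compose layout, the image names, the single-node and heap settings, the `classify_es_status` / `count_user_indices` helper names, and the 192.168.1.104 default URL are all my assumptions; the `_cat/indices` lines used to exercise the index counter are constructed sample data.

```shell
#!/bin/sh
# Lab helper (added example, not from the original post): writes the
# security-disabled docker-compose.yml described in Step 1 and probes the
# Elasticsearch endpoint that Zenarmor is pointed at in Step 2.
# Assumptions: official docker.elastic.co images at the post's 8.9.1 tag,
# and the post's lab URL http://192.168.1.104:9200 as the default target.

ES_VERSION="${ES_VERSION:-8.9.1}"
ES_URL="${ES_URL:-http://192.168.1.104:9200}"

# Write the lab compose file into the directory given as $1.
# LAB ONLY: xpack.security.enabled=false turns off authentication and TLS
# on every port, which is exactly what the post warns never to run in production.
write_compose_file() {
  cat > "$1/docker-compose.yml" <<EOF
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:${ES_VERSION}
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
    ports:
      - "9200:9200"
    volumes:
      - esdata:/usr/share/elasticsearch/data
  kibana:
    image: docker.elastic.co/kibana/kibana:${ES_VERSION}
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    ports:
      - "5601:5601"
    depends_on:
      - elasticsearch
  # Logstash is not needed for this integration; add a service here if you need it.
volumes:
  esdata:
EOF
}

# Map the HTTP status of an unauthenticated GET / on the cluster to a state:
#   200 -> open          (security disabled, as in the post's lab setup)
#   401 -> auth-required (security enabled: fill in the wizard's credentials)
#   000 -> unreachable   (curl could not connect, or the connection was closed,
#                         e.g. plain HTTP sent to a TLS-only port)
classify_es_status() {
  case "$1" in
    200) echo "open" ;;
    401|403) echo "auth-required" ;;
    000|"") echo "unreachable" ;;
    *) echo "unexpected:$1" ;;
  esac
}

# Probe the cluster with blank credentials, as the Zenarmor wizard would.
probe_es() {
  status=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "$1/")
  classify_es_status "$status"
}

# Count non-system indices (names not starting with '.') in _cat/indices text
# output read from stdin; column 3 is the index name. Useful for confirming
# that the firewall has started writing after the wizard completes.
count_user_indices() {
  awk '$3 !~ /^\./ { n++ } END { print n+0 }'
}

# Usage: ./elk-lab.sh up [dir]   |   ./elk-lab.sh probe
if [ "${1:-}" = "up" ]; then
  write_compose_file "${2:-.}"
  docker compose -f "${2:-.}/docker-compose.yml" up -d
elif [ "${1:-}" = "probe" ]; then
  echo "$ES_URL -> $(probe_es "$ES_URL")"
  curl -s "$ES_URL/_cat/indices" | count_user_indices
fi
```

Run `./elk-lab.sh up ~/elk-lab` on the Docker host, then `./elk-lab.sh probe` from the firewall's network segment: "open" means the blank-credential configuration in Figure 3 will work, "auth-required" means the cluster still has security on and the wizard needs a real service account and an https:// URL, and "unreachable" usually points at a firewall rule or at an https-only endpoint being addressed over http.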